Lucene search
+L

82307 matches found

snyk
snyk
added 6 days ago3 views

CSV Injection

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...

7.3CVSS6.3AI score0.00234EPSS
Exploits0References2
cve
cve
added 6 days ago7 views

CVE-2026-47422

CVE-2026-47422 affects the Frappe framework. An endpoint in reportview allowed unrestricted access to save_report due to missing permission checks prior to versions 15.107.5 and 16.18.2. The issue is fixed in those versions (15.107.5 and 16.18.2). The provided references include a GitHub advisory...

5.3CVSS6.1AI score0.00278EPSS
Exploits0References1
nvd
nvd
added 6 days ago6 views

CVE-2026-55515

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00256EPSS
Exploits1References3
nvd
nvd
added 6 days ago8 views

CVE-2026-55452

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

7.3CVSS0.00234EPSS
Exploits0References3
cve
cve
added 6 days ago11 views

CVE-2026-55452

CVE-2026-55452 concerns Snipe-IT (IT asset/license management) where pre-8.5.0 builds store the User-Agent header via Actionlog::logaction() and export it in Activity Report CSV without formula escaping. This allows a low-privileged authenticated user to inject a formula-like payload that can exe...

7.3CVSS6.2AI score0.00234EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 6 days ago32 views

CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

4.8CVSS0.00234EPSS
Exploits0References3
osv
osv
added 6 days ago3 views

CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

4.8CVSS6.2AI score0.00234EPSS
Exploits0References5
cve
cve
added 6 days ago8 views

CVE-2026-55515

CVE-2026-55515 affects Snipe-IT prior to version 8.6.2. The unaccepted-assets report delete endpoint erroneously authorizes on a global ID: it allows a reports user in one company to delete pending CheckoutAcceptance records for another company by calling CheckoutAcceptance::pending()->find($a...

5CVSS6.1AI score0.00256EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 6 days ago31 views

CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00256EPSS
Exploits1References3
osv
osv
added 6 days ago2 views

CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS6.1AI score0.00256EPSS
Exploits1References5
nvd
nvd
added 6 days ago7 views

CVE-2026-15376

A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...

6.5CVSS0.00256EPSS
Exploits0References5
vulnrichment
vulnrichment
added 6 days ago8 views

CVE-2026-15376 Eleveo Call Recording Software statisticReportAction.do improper authorization

A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...

6.5CVSS6.3AI score0.00256EPSS
Exploits0References5
euvd
euvd
added 6 days ago7 views

EUVD-2026-42934

A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...

6.5CVSS6.3AI score0.00256EPSS
Exploits0References5
wolfi
wolfi
added 6 days ago7 views

GHSA-XXHW-P6QC-4J2J vulnerabilities

Vulnerabilities for packages: chromium...

6.1AI score
Exploits0
patchstack
patchstack
added 6 days ago6 views

WordPress Dokan plugin <= 5.0.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Plugin Dokan versions = 5.0.6...

7.1CVSS6.1AI score0.0018EPSS
Exploits0Affected Software1
cve
cve
added 6 days ago10 views

CVE-2026-15332

Technical details about CVE-2026-15332 are not publicly available in the provided documents; monitor for updates.

6.5CVSS6.2AI score0.00209EPSS
Exploits0References6
circl
circl
added 6 days ago5 views

CVE-2026-59832

creationtimestamp| type| source ---|---|--- 2026-07-10 00:17:11+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqauoqehek25 2026-07-10 03:01:24+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mqb5uebh3r25...

7.7CVSS5.9AI score0.00316EPSS
Exploits0References2
nvd
nvd
added last week6 views

CVE-2026-51924

An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component...

8.1CVSS0.0033EPSS
Exploits0References2
cgr
cgr
added last week6 views

GHSA-MXR8-RXWP-G4GX vulnerabilities

Vulnerabilities for packages: chromium...

5.9AI score
Exploits0
cgr
cgr
added last week6 views

GHSA-C6M6-6997-FXFH vulnerabilities

Vulnerabilities for packages: chromium...

5.9AI score
Exploits0
Rows per page
Query Builder